
CVE-2025-1529: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in johanaarstein AM LottiePlayer

Severity: Medium
Tags: Vulnerability, CVE-2025-1529, CWE-79
Published: Thu May 01 2025 (05/01/2025, 11:11:40 UTC)
Source: CVE
Vendor/Project: johanaarstein
Product: AM LottiePlayer

Description

The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded lottie files in all versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

Last updated: 06/25/2025, 18:16:17 UTC

Technical Analysis

CVE-2025-1529 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the AM LottiePlayer plugin for WordPress, developed by johanaarstein. This vulnerability exists in all versions up to and including 3.5.3. The root cause is improper neutralization of input during web page generation (CWE-79), specifically insufficient sanitization and output escaping of uploaded Lottie animation files. Authenticated users with Author-level privileges or higher can exploit this flaw by uploading maliciously crafted Lottie files containing embedded scripts. These scripts are then stored on the server and executed in the context of any user who views the affected page, leading to arbitrary script execution.

The vulnerability has a CVSS 3.1 base score of 6.4 (medium severity), with an attack vector of network (remote), low attack complexity, requiring privileges (Author or above), no user interaction, and a scope change indicating that the vulnerability affects components beyond the initially vulnerable plugin. The impact includes limited confidentiality and integrity loss, but no availability impact. No patches or known exploits in the wild have been reported as of the publication date (May 1, 2025).

The vulnerability is particularly dangerous because it allows persistent XSS, which can be used for session hijacking, privilege escalation, or delivering further payloads within the victim's browser context. Since the attack requires authenticated access at Author level or above, it is limited to users with some level of trust on the WordPress site, but many WordPress sites allow multiple authors or contributors, increasing the attack surface. The vulnerability affects websites using the AM LottiePlayer plugin, which is used to embed and render Lottie animations on WordPress pages, popular among sites leveraging rich media content.

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those relying on WordPress sites with multiple authors or contributors and using the AM LottiePlayer plugin. Exploitation could lead to unauthorized script execution in the browsers of site visitors or administrators, potentially resulting in session hijacking, theft of sensitive information, defacement, or further malware delivery. This can damage organizational reputation, lead to data breaches involving personal data protected under GDPR, and cause operational disruptions. Sectors such as media, e-commerce, education, and government agencies that use WordPress extensively are at higher risk. The scope change in the CVSS vector suggests that the vulnerability could affect components beyond the plugin itself, possibly impacting other integrated systems or plugins. Although no known exploits are currently reported, the medium severity and ease of exploitation by authenticated users mean that attackers who gain Author-level access (e.g., via phishing or credential compromise) could leverage this vulnerability to escalate attacks. The lack of required user interaction for the victim increases risk for site visitors and administrators alike. Given the widespread use of WordPress in Europe and the popularity of Lottie animations for rich content, the vulnerability poses a tangible threat to the confidentiality and integrity of affected sites and their users.

Mitigation Recommendations

1. Immediate mitigation should include restricting Author-level access to trusted users only and reviewing existing user roles to minimize privilege creep.
2. Implement strict input validation and sanitization on uploaded Lottie files, ideally by disabling or filtering any embedded scripts or suspicious content before upload.
3. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and limit the domains from which scripts can be loaded, reducing the impact of injected scripts.
4. Monitor and audit WordPress user activities and uploaded content for anomalies or unauthorized changes.
5. Consider temporarily disabling the AM LottiePlayer plugin if it is not essential, until a vendor patch is released.
6. Use Web Application Firewalls (WAFs) configured to detect and block typical XSS payloads targeting Lottie files or plugin endpoints.
7. Educate site administrators and authors on phishing and credential security to prevent unauthorized access.
8. Regularly update WordPress core and plugins, and subscribe to vendor advisories for patch releases.
9. For developers, review and enhance the plugin's codebase to implement proper output encoding and input sanitization following OWASP guidelines for handling JSON-based animation files.
10. Conduct penetration testing focusing on stored XSS vectors in media upload features to identify similar vulnerabilities proactively.
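Recommendation 2 asks for validation of uploaded Lottie files before they are stored. As an added example (not code from the AM LottiePlayer plugin, from Wordfence or from WordPress), the following Python shows an allowlist-style check that an upload handler could run; it is written in Python rather than the plugin's PHP so it can be exercised stand-alone. It assumes the Lottie JSON conventions that animatable properties carry JavaScript expressions in an `x` string, that embedded image assets are marked with `e: 1` and carry a data URI in `p`, and that `u` holds an asset directory. The size limit, the marker list, the required top-level keys and both sample animations are constructed for this example.

```python
import json

# Policy limits for this added example (assumed values, not from the plugin).
MAX_BYTES = 2 * 1024 * 1024
MAX_DEPTH = 64
# Keys a Lottie animation document carries at the top level.
REQUIRED_TOP_LEVEL = ("v", "fr", "ip", "op", "w", "h", "layers")
# Markup fragments that have no business inside animation data.
HTML_MARKERS = ("<script", "<svg", "<iframe", "javascript:", "data:text/html")
# Embedded image assets ("e": 1) must be raster data URIs, never SVG or HTML.
ALLOWED_DATA_URI_PREFIXES = (
    "data:image/png;base64,", "data:image/jpeg;base64,",
    "data:image/gif;base64,", "data:image/webp;base64,",
)


def _walk(node, path, depth, findings):
    """Recursively inspect every value; record policy violations in findings."""
    if depth > MAX_DEPTH:
        findings.append(f"{path}: nesting deeper than {MAX_DEPTH}")
        return
    if isinstance(node, dict):
        for key, value in node.items():
            # An "x" string on an animatable property is a lottie-web expression.
            if key == "x" and isinstance(value, str) and value.strip():
                findings.append(f"{path}.x: expression strings are not allowed")
            _walk(value, f"{path}.{key}", depth + 1, findings)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            _walk(value, f"{path}[{index}]", depth + 1, findings)
    elif isinstance(node, str):
        lowered = node.lower()
        for marker in HTML_MARKERS:
            if marker in lowered:
                findings.append(f"{path}: contains markup fragment {marker!r}")
                break


def _check_assets(assets, findings):
    """Only raster data URIs may be embedded; no external asset locations."""
    if not isinstance(assets, list):
        findings.append("assets: must be a list")
        return
    for index, asset in enumerate(assets):
        if not isinstance(asset, dict):
            continue
        location = asset.get("p")
        if asset.get("e") == 1:
            if not isinstance(location, str) or not location.startswith(ALLOWED_DATA_URI_PREFIXES):
                findings.append(f"assets[{index}].p: embedded asset is not a raster image data URI")
        elif "://" in str(asset.get("u", "")) + str(location or ""):
            findings.append(f"assets[{index}]: external asset location is not allowed")


def validate_lottie(raw):
    """Return a list of findings; an empty list means the upload is acceptable."""
    if len(raw) > MAX_BYTES:
        return [f"file exceeds {MAX_BYTES} bytes"]
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return ["file is not valid UTF-8 JSON"]
    if not isinstance(doc, dict):
        return ["top-level value must be a JSON object"]
    findings = []
    missing = [key for key in REQUIRED_TOP_LEVEL if key not in doc]
    if missing:
        findings.append("missing required keys: " + ", ".join(missing))
    if "layers" in doc and not isinstance(doc["layers"], list):
        findings.append("layers: must be a list")
    if "assets" in doc:
        _check_assets(doc["assets"], findings)
    _walk(doc, "$", 0, findings)
    return findings


# Constructed sample uploads (not real animations from the advisory).
BENIGN = json.dumps({
    "v": "5.7.4", "fr": 30, "ip": 0, "op": 60, "w": 200, "h": 200, "assets": [],
    "layers": [{"ty": 4, "nm": "shape",
                "ks": {"o": {"a": 0, "k": 100}, "p": {"a": 0, "k": [100, 100, 0]}},
                "shapes": []}],
}).encode("utf-8")

SUSPICIOUS = json.dumps({
    "v": "5.7.4", "fr": 30, "ip": 0, "op": 60, "w": 200, "h": 200,
    "assets": [{"id": "image_0", "e": 1, "w": 10, "h": 10,
                "p": "data:image/svg+xml;base64,AAAA"}],
    "layers": [
        {"ty": 5, "nm": "text",
         "t": {"d": {"k": [{"t": 0, "s": {"t": "Hi <script>/* constructed marker */</script>"}}]}}},
        {"ty": 4, "nm": "shape", "ks": {"o": {"a": 0, "k": 100, "x": "time * 10"}}, "shapes": []},
    ],
}).encode("utf-8")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, validate_lottie(blob) or "accepted")
```

The check is deliberately an allowlist: it rejects anything it cannot classify as animation data rather than trying to strip dangerous pieces out, which is the safer default for an upload that will later be rendered in visitors' browsers. It complements, rather than replaces, output escaping in the plugin and the CSP from recommendation 3.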


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-02-20T23:25:35.481Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9839c4522896dcbecdc8

Added to database: 5/21/2025, 9:09:13 AM

Last enriched: 6/25/2025, 6:16:17 PM

Last updated: 8/14/2025, 5:44:39 AM

